Apache
In your httpd.conf file, disable the Indexes option for the relevant <Directory> block by removing it from the Options line (or prefixing it with a minus sign, so that a value inherited from a parent directory cannot re-enable it; Apache requires either all or none of the values on an Options line to carry a + or - prefix), then reload httpd. A directory with no index file will then answer 403 Forbidden instead of listing its contents.
In addition, always make sure that proper permissions are set on all files and directories within the web root (including CGI scripts and backup files). Do not copy files into the web root unless you want them to be available over the web. Periodically go through your web directories and clean out any unused, obsolete, or unknown files and directories: a scanner that obtains a listing will also enumerate editor backups and archives left behind there.

Fix Cross Site Scripting Vulnerability

2 hours

Audit the affected URL and any similar dynamic pages or scripts that could echo untrusted user input back into a response. In general, the
following practices should be followed while developing dynamic web content:
• Explicitly set the character set encoding for each page generated by the web server
• Identify special characters (at minimum < > & " ') for the context in which each dynamic value is emitted
• Encode dynamic output elements
• Filter specific characters in dynamic elements
• Examine cookies
For more information on the above practices, read the following CERT advisory: CERT Advisory CA-2000-02
• For ASP.NET applications, request validation (the validateRequest attribute) can be enabled on a page or in web.config. For example:
<%@ Page ... validateRequest="true" %>
OR
<system.web>
<pages validateRequest="true" />
</system.web>
Request validation has been on by default since ASP.NET 1.1 and only rejects requests containing obviously dangerous markup; it is a safety net, not a substitute for output encoding. All dynamic content should be HTML encoded using HttpUtility.HtmlEncode (HttpUtility.HtmlAttributeEncode inside attribute values).
• For PHP applications, validate input against an allow-list of expected values wherever possible. strip_tags removes tags but does not neutralise injection into attribute or script contexts, and utf8_decode only transcodes text, so neither should be relied on as a defence. Dynamic content should be HTML encoded using htmlentities (or htmlspecialchars) with the ENT_QUOTES flag and an explicit character set.
• For Perl applications, validate input data whenever possible using regular expressions. Dynamic content should be HTML encoded using
HTML::Entities::encode or Apache::Util::html_encode (when using mod_perl).
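The practices above carried out in Python, as an added example rather than code from the scan report (the report's own snippets are ASP.NET, PHP and Perl). It uses only the standard library so it can be run offline; PAYLOAD is a constructed attacker input and the page layout is assumed.

```python
"""Added example, not code from the scan report: charset declaration, identification
of special characters, output encoding and allow-list filtering for dynamic pages.
PAYLOAD is a constructed test input; the page markup is an assumed layout.
"""
import html
import re

# Practice 1: declare the character set on every generated page, so a browser cannot be
# tricked into sniffing a different encoding (such as UTF-7) that hides the markup.
CONTENT_TYPE = "text/html; charset=utf-8"

# Characters that carry meaning in HTML text and attribute contexts (CERT CA-2000-02).
HTML_SPECIAL = set('<>&"\'')

# Practice 4: fields with a known shape are checked against an allow-list and rejected
# outright when they do not match, rather than "cleaned" with a deny-list.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

PAYLOAD = '"><script>alert(document.cookie)</script>'  # constructed attacker input


def special_chars(value):
    """Practice 2: report which special characters an input contains."""
    return {c for c in value if c in HTML_SPECIAL}


def valid_username(value):
    return USERNAME_RE.match(value) is not None


def encode_html(value):
    """Practice 3: entity-encode for HTML text and double-quoted attribute contexts."""
    return html.escape(value, quote=True)


def render_vulnerable(query):
    """What the scanner flagged: untrusted input copied verbatim into the markup."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_safe(query):
    """Same page with the charset declared and every dynamic element encoded."""
    headers = {"Content-Type": CONTENT_TYPE}
    safe = encode_html(query)
    body = f'<p>Results for: {safe}</p><input name="q" value="{safe}">'
    return headers, body


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    headers, body = render_safe(PAYLOAD)
    print("safe:", headers["Content-Type"])
    print(body)
```

Note that encoding is chosen per output context: the entity encoding shown is correct for HTML text and quoted attributes, but a value emitted inside a script block or a URL needs JavaScript or URL encoding instead, and filtering alone (the vulnerable renderer with a deny-list bolted on) is what the scanner will keep finding ways around.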

Configure the server to disable support for weak ciphers.
For Microsoft IIS web servers, see Microsoft Knowledge Base article 245030 for instructions on disabling weak ciphers through the Schannel registry settings.
For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Note that this string, taken from the older mod_ssl documentation, still permits RC4 and medium-strength ciphers. RC4 has since been prohibited (RFC 7465) and current PCI DSS requirements also forbid SSLv3 and early TLS, so add exclusions for RC4, MD5 and 3DES, restrict the SSLProtocol directive to TLS, and review the expanded cipher list with the openssl ciphers tool before restarting httpd.
For other servers, refer to the respective vendor documentation to disable the weak ciphers.

Disable HTTP TRACE Method for Apache

4 hours

Apache
Apache versions 1.3.34 and 2.0.55 and later provide the TraceEnable directive. To deny TRACE requests, add the following line to the main server configuration (it applies server-wide and cannot be set in .htaccess):
TraceEnable off
For older versions of the Apache web server, use the mod_rewrite module to deny TRACE requests. Rewrite rules are not inherited by virtual hosts, so repeat the block in every VirtualHost:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Confirm the fix by sending a TRACE request after restarting: with TraceEnable off Apache answers 405 Method Not Allowed, with the rewrite rule it answers 403 Forbidden.

Add the Secure flag to cookies sent over SSL

30 minutes

For each cookie the site sets over SSL (session cookies above all), add the Secure attribute so that the browser only returns the cookie over HTTPS; add HttpOnly as well so that page script cannot read it. Attribute names are case-insensitive. For example:
Set-Cookie: <name>=<value>[; Max-Age=<age>]
[; expires=<date>][; domain=<domain_name>]
[; path=<some_path>][; Secure][; HttpOnly]
Set the flag where the cookie is issued, normally through the application framework's secure-cookie setting, and confirm afterwards that the Set-Cookie header on an HTTPS response actually carries it.
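A small audit of the headers a site emits, written here as an added example (not code from the report): it reports which cookies lack Secure or HttpOnly and produces hardened copies. SAMPLE_HEADERS are constructed values, not headers captured from a scanned host.

```python
"""Added example, not code from the scan report: audit Set-Cookie headers for the
Secure (and HttpOnly) attribute and produce hardened versions.
SAMPLE_HEADERS are constructed values, not headers captured from a scanned host.
"""

SAMPLE_HEADERS = [
    "JSESSIONID=8A3F2C; Path=/",                      # session cookie, no flags
    "prefs=dark; Path=/; Max-Age=31536000; Secure",  # Secure only
    "sid=abc123; Path=/; HttpOnly; secure",          # both present, mixed case
]

FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header):
    """Split 'name=value; attr; attr=val' into the name=value pair and its attribute list."""
    parts = [p.strip() for p in header.split(";")]
    return parts[0], [p for p in parts[1:] if p]


def missing_flags(header):
    """Flags the cookie lacks. Attribute names are case-insensitive (RFC 6265)."""
    _, attrs = parse_set_cookie(header)
    present = {a.split("=", 1)[0].lower() for a in attrs}
    return [flag for flag in FLAGS if flag.lower() not in present]


def harden(header):
    """Append whichever flags are missing; a header that already has them is returned unchanged."""
    pair, attrs = parse_set_cookie(header)
    return "; ".join([pair, *attrs, *missing_flags(header)])


def audit(headers):
    """Map each cookie name to the list of flags it is missing."""
    return {parse_set_cookie(h)[0].split("=", 1)[0]: missing_flags(h) for h in headers}


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    for h in SAMPLE_HEADERS:
        print(harden(h))
```

The Secure attribute only governs where the browser sends the cookie back; if the application issued it on a plain HTTP response it has already crossed the wire in clear, so the attribute belongs on cookies that are set on HTTPS responses in the first place.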

Disable WebDAV for Apache

30 minutes

Apache
Make sure the mod_dav module is disabled, or ensure that authentication is required on directories where DAV is required.
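The Apache items in this report (directory indexing, weak ciphers, TRACE and WebDAV) can be checked together against the merged configuration. The audit below is an added example, not configuration or code from the report; WEAK_CONF and FIXED_CONF are constructed fragments, not configs captured from a scanned host. It goes slightly beyond the report's wording by also requiring an RC4 exclusion and an SSLProtocol line that disables SSLv3, since RC4 (RFC 7465) and SSLv3 are disallowed by current PCI DSS requirements.

```python
"""Added example, not code from the scan report: audit an httpd.conf for the Apache
findings (directory indexing, weak ciphers, TRACE, WebDAV).

WEAK_CONF and FIXED_CONF are constructed fragments. The checks are string matching
over directive lines; they do not follow Include directives or .htaccess files, so
run them against the merged configuration.
"""

WEAK_CONF = """\
LoadModule dav_module modules/mod_dav.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""

FIXED_CONF = """\
#LoadModule dav_module modules/mod_dav.so
TraceEnable off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!LOW:!EXP:!RC4:!MD5:!3DES
"""

# Exclusions a hardened SSLCipherSuite should contain. The first four appear in the
# report's suggested string; !RC4 is added because RC4 is prohibited by RFC 7465 and
# current PCI ASV scans treat it as weak.
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!LOW", "!EXP", "!RC4")


def directives(conf):
    """Yield (name, argument) per directive line, skipping comments and section tags."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def sslv3_disabled(arg):
    """Heuristic reading of an SSLProtocol argument list."""
    tokens = arg.lower().split()
    if "+sslv3" in tokens or "sslv3" in tokens:
        return False
    return "-sslv3" in tokens or "-all" in tokens or all(t.startswith("tlsv1") for t in tokens)


def audit_httpd_conf(conf):
    """Return a list of findings; an empty list means every item is remediated."""
    findings = []
    trace_off = False
    ciphers = None
    protocols = None
    for name, arg in directives(conf):
        tokens = arg.lower().split()
        if name == "options" and ("indexes" in tokens or "+indexes" in tokens):
            findings.append("directory listing enabled: use 'Options -Indexes'")
        elif name == "traceenable" and tokens == ["off"]:
            trace_off = True
        elif name == "loadmodule" and tokens[:1] == ["dav_module"]:
            findings.append("mod_dav loaded: disable it or require authentication on DAV locations")
        elif name == "dav" and tokens == ["on"]:
            findings.append("WebDAV enabled in a directory: confirm AuthType/Require apply there")
        elif name == "sslciphersuite":
            ciphers = arg
        elif name == "sslprotocol":
            protocols = arg
    if not trace_off:
        findings.append("TRACE not disabled: add 'TraceEnable off' (or the mod_rewrite rule)")
    if ciphers is None:
        findings.append("no SSLCipherSuite directive: mod_ssl defaults apply")
    else:
        for exclusion in REQUIRED_EXCLUSIONS:
            if exclusion not in ciphers:
                findings.append(f"SSLCipherSuite lacks {exclusion}")
    if protocols is None or not sslv3_disabled(protocols):
        findings.append("SSLv3 not disabled: use 'SSLProtocol all -SSLv2 -SSLv3' or TLS only")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        results = audit_httpd_conf(conf)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run against the report's own cipher string, the audit reports only the missing RC4 exclusion, which is the one point where the report's suggested value has aged; the remaining findings on the weak fragment correspond one-to-one with the four steps above.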

For BIND 9.3.6-P1-RedHat-9.3.6-16.P1.el5
These vulnerabilities can be resolved by performing the following 2 steps. The total estimated time to perform all of these steps is 8 hours.
Remediation Step

Estimated Time

Upgrade to ISC BIND 9.5.1p3

2 hours

As of January 2010 there are four major versions that are still supported:
• BIND 9.3.6-P1
• BIND 9.4.3-P5
• BIND 9.5.2-P2
• BIND 9.6.1-P3
The version string reported here is a Red Hat Enterprise Linux 5 package. Red Hat backports security fixes into that package without changing the upstream version number, so apply the vendor's current bind errata rather than building a newer release from source, and if the scanner still flags the host on its version banner, dispute the finding with the ASV using the installed errata package version as evidence.

General
These vulnerabilities can be resolved by performing the following 3 steps. The total estimated time to perform all of these steps is 16 hours 30 minutes.
Remediation Step

Estimated Time

Enable TCP MD5 Signatures

4 hours

Enable the TCP MD5 signature option as documented in RFC 2385. It was designed to reduce the danger from certain attacks on BGP sessions, such as forged TCP resets, by rejecting segments whose MD5 signature does not verify. It applies only to routers and hosts that terminate BGP or similarly long-lived TCP sessions; a host that runs no such service has nothing to configure for this step. Where both peers support it, TCP-AO (RFC 5925) is the current replacement for the MD5 option.

Locate and fix vulnerable traffic inspection devices along the route to the target

12 hours

In many situations, target systems are, by themselves, patched or otherwise unaffected by this vulnerability. In certain configurations, however,
unaffected systems can be made vulnerable if the path between an attacker and the target system contains an affected and unpatched network
device such as a firewall or router and that device is responsible for handling TCP connections for the target. In this case, locate and apply
remediation steps for network devices along the route that are affected.

Disable ICMP timestamp responses

30 minutes

Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective solution is to
configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response).

For OpenSSH 4.3
These vulnerabilities can be resolved with a single step. The estimated time to perform this step is 2 hours 30 minutes.
Remediation Step

Estimated Time

Upgrade to the latest version of OpenSSH

2 hours 30 minutes

At the time of this report the latest version of OpenSSH was 5.2 (OpenBSD source) and 5.2p1 (portable source), both released on February 22, 2009; check the OpenSSH project's release list for the current version.
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These packages are usually customized and optimized for a particular distribution, so we recommend that you use them where they are available for your operating system. Note that OpenSSH 4.3 is the version shipped with Red Hat Enterprise Linux 5 and receives backported security fixes under that version number; confirm the installed package's errata before treating a banner-based finding as unpatched.

For Dovecot
These vulnerabilities can be resolved with a single step. The estimated time to perform this step is 3 hours.
Remediation Step

Estimated Time

Replace TLS/SSL self-signed certificate

3 hours

Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server. The exact instructions for obtaining a new certificate
depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then
sent to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate Authority. If not, you may have to pay for a
certificate from a trusted external Certificate Authority, such as Thawte or Verisign.

For exim 4.69
These vulnerabilities can be resolved with a single step. The estimated time to perform this step is 3 hours.
Remediation Step

Estimated Time

Replace TLS/SSL self-signed certificate

3 hours

Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server. The exact instructions for obtaining a new certificate
depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then
sent to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate Authority. If not, you may have to pay for a
certificate from a trusted external Certificate Authority, such as Thawte or Verisign. Whichever CA issues it, the certificate's subject or subject alternative name must match the host name the scanner connects to, and the CA's intermediate certificates must be installed with it; otherwise the scan will keep reporting the certificate as untrusted.

For Linux 2.6.13
These vulnerabilities can be resolved by performing the following 2 steps. The total estimated time to perform all of these steps is 35 minutes.
Remediation Step

Linux
Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:
sysctl -w net.ipv4.tcp_timestamps=0
Additionally, put the following value in the default sysctl configuration file, generally /etc/sysctl.conf (or a file under /etc/sysctl.d), so that the setting survives a reboot:
net.ipv4.tcp_timestamps=0
Disabling timestamps only removes the uptime disclosure the scanner observed; it also disables PAWS protection against wrapped sequence numbers and round-trip-time measurement (RFC 1323), so weigh the change against throughput on high-bandwidth links.


LE Global Services Sdn Bhd (ASV No: 5040-01-01) PCI Host Details

For MySQL 5.1.56
These vulnerabilities can be resolved with a single step. The estimated time to perform this step is 30 minutes.
Remediation Step

Estimated Time

Restrict database access

30 minutes

Configure the database server to accept connections only from trusted systems: bind the listener to an internal interface rather than all addresses, firewall the MySQL port from the DMZ and the Internet, and restrict each account to the specific hosts it is used from instead of granting access from any host. For example, the PCI DSS standard requires you to place the database in an
internal network zone, segregated from the DMZ